From aff6bde08e75758bf32741964fffadffd52240f2 Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 18:30:48 -0700
Subject: [PATCH 1/7] [security] rails 3.2.12 -> 3.2.13

---
 Gemfile | 2 +-
 Gemfile.lock | 50 +++++++++++++++++++++++++-------------------------
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/Gemfile b/Gemfile
index 8615405..5090dd0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'rails', '3.2.12'
+gem 'rails', '3.2.13'
 
 group :development do
 gem 'sqlite3'
diff --git a/Gemfile.lock b/Gemfile.lock
index 19a7491..37ed9df 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,12 +1,12 @@
 GEM
 remote: https://rubygems.org/
 specs:
- actionmailer (3.2.12)
- actionpack (= 3.2.12)
+ actionmailer (3.2.13)
+ actionpack (= 3.2.13)
 mail (~> 2.4.4)
- actionpack (3.2.12)
- activemodel (= 3.2.12)
- activesupport (= 3.2.12)
+ actionpack (3.2.13)
+ activemodel (= 3.2.13)
+ activesupport (= 3.2.13)
 builder (~> 3.0.0)
 erubis (~> 2.7.0)
 journey (~> 1.0.4)
@@ -14,18 +14,18 @@ GEM
 rack-cache (~> 1.2)
 rack-test (~> 0.6.1)
 sprockets (~> 2.2.1)
- activemodel (3.2.12)
- activesupport (= 3.2.12)
+ activemodel (3.2.13)
+ activesupport (= 3.2.13)
 builder (~> 3.0.0)
- activerecord (3.2.12)
- activemodel (= 3.2.12)
- activesupport (= 3.2.12)
+ activerecord (3.2.13)
+ activemodel (= 3.2.13)
+ activesupport (= 3.2.13)
 arel (~> 3.0.2)
 tzinfo (~> 0.3.29)
- activeresource (3.2.12)
- activemodel (= 3.2.12)
- activesupport (= 3.2.12)
- activesupport (3.2.12)
+ activeresource (3.2.13)
+ activemodel (= 3.2.13)
+ activesupport (= 3.2.13)
+ activesupport (3.2.13)
 i18n (~> 0.6)
 multi_json (~> 1.0)
 amazon_flex_pay (0.9.13)
@@ -83,19 +83,19 @@ GEM
 rack
 rack-test (0.6.2)
 rack (>= 1.0)
- rails (3.2.12)
- actionmailer (= 3.2.12)
- actionpack (= 3.2.12)
- activerecord (= 3.2.12)
- activeresource (= 3.2.12)
- activesupport (= 3.2.12)
+ rails (3.2.13)
+ actionmailer (= 3.2.13)
+ actionpack (= 3.2.13)
+ activerecord (= 3.2.13)
+ activeresource (= 3.2.13)
+ activesupport (= 3.2.13)
 bundler (~> 1.0)
- railties (= 3.2.12)
+ railties (= 3.2.13)
 rails_config (0.3.2)
 activesupport (>= 3.0)
- railties (3.2.12)
- actionpack (= 3.2.12)
- activesupport (= 3.2.12)
+ railties (3.2.13)
+ actionpack (= 3.2.13)
+ activesupport (= 3.2.13)
 rack-ssl (~> 1.3.2)
 rake (>= 0.8.7)
 rdoc (~> 3.4)
@@ -158,7 +158,7 @@ DEPENDENCIES
 jquery-rails
 pg
 pry-rails
- rails (= 3.2.12)
+ rails (= 3.2.13)
 rails_config
 rspec-rails (~> 2.0)
 sass-rails (~> 3.2.3)
From beae31162cfa5069814ede1e4c0c43c5914558b0 Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 18:50:31 -0700
Subject: [PATCH 2/7] [security] require json ~> 1.7.7

---
 Gemfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Gemfile b/Gemfile
index 5090dd0..442556e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,6 +1,7 @@
 source 'https://rubygems.org'
 
 gem 'rails', '3.2.13'
+gem 'json', '~> 1.7.7'
 
 group :development do
 gem 'sqlite3'
From dfc18affad136f1457fe18cda7c2f0ce17e9121f Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 18:51:16 -0700
Subject: [PATCH 3/7] [security - heroku] ruby 1.9.2 -> 1.9.3

---
 Gemfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Gemfile b/Gemfile
index 442556e..d2fc666 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,5 +1,7 @@
 source 'https://rubygems.org'
 
+ruby '1.9.3'
+
 gem 'rails', '3.2.13'
 gem 'json', '~> 1.7.7'
 
From 7827beb1830ad050df41e68ce070ab09e14f9a12 Mon Sep 17 00:00:00 2001
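Review bot: The `gem 'json', '~> 1.7.7'` line added in the PATCH 2/7 Gemfile hunk changes the declared dependencies while Gemfile.lock is left at `json (1.7.6)` until PATCH 5/7 and 6/7, so commits 2 through 4 are not deployable on their own if the deploy runs `bundle install --deployment`, as Heroku's buildpack does, since a Gemfile out of sync with its lock is rejected there. Fold the lock updates into this commit, or state in the message that the series only builds once 6/7 has landed. The pin itself is fine: `~> 1.7.7` means `>= 1.7.7, < 1.8`, which keeps the fixed 1.7.x line without allowing a jump to 1.8.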
From: Barry Allard
Date: Tue, 19 Mar 2013 18:55:36 -0700
Subject: [PATCH 4/7] [security] optionally specify a new secret token using RAILS_SECRET_TOKEN

---
 config/initializers/secret_token.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 99cfc7b..cf19ec6 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -4,4 +4,4 @@
 # If you change this key, all old signed cookies will become invalid!
 # Make sure the secret is at least 30 characters and all random,
 # no regular words or you'll be exposed to dictionary attacks.
-Selfstarter::Application.config.secret_token = '686a073cf783e29dee02cb7544762d17a7c769acf7baa148a0d9726a39e45123532418f9ce7cd3def2ca0e3d5bff9d0b9ffd41f19b0c6b6dd9d0cc10b77fc5ae'
+Selfstarter::Application.config.secret_token = ENV['RAILS_SECRET_TOKEN'] || '686a073cf783e29dee02cb7544762d17a7c769acf7baa148a0d9726a39e45123532418f9ce7cd3def2ca0e3d5bff9d0b9ffd41f19b0c6b6dd9d0cc10b77fc5ae'
From ac289d2def6cb10a61ae1d31162012730e0e3fa0 Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 21:36:36 -0700
Subject: [PATCH 5/7] updated Gemfile.lock

---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 37ed9df..a0f1495 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -56,7 +56,7 @@ GEM
 jquery-rails (2.1.4)
 railties (>= 3.0, < 5.0)
 thor (>= 0.14, < 2.0)
- json (1.7.6)
+ json (1.7.7)
 mail (2.4.4)
 i18n (>= 0.4.0)
 mime-types (~> 1.16)
From 961fd9c3fc0ccabe03e36b048b138cc77d81b843 Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 21:52:29 -0700
Subject: [PATCH 6/7] Gemfile.lock updated

---
 Gemfile.lock | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Gemfile.lock b/Gemfile.lock
index a0f1495..95cad1f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
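Review bot: In the secret_token.rb hunk of PATCH 4/7, the new assignment still falls back to the committed 128-hex-character literal whenever `RAILS_SECRET_TOKEN` is unset, so a production deploy that forgets to export the variable silently keeps signing cookies with a secret that anyone who can read this repository's history already knows, and the comment right above ("all old signed cookies will become invalid") makes clear that is exactly what this value protects. The `||` also accepts an empty string as the secret, because `''` is truthy in Ruby, which contradicts the "at least 30 characters" requirement two lines up. I would keep the literal for development and test only and fail loudly everywhere else: `token = ENV['RAILS_SECRET_TOKEN'].to_s` / `raise 'RAILS_SECRET_TOKEN must be set to at least 30 random characters' if Rails.env.production? && token.length < 30` / `Selfstarter::Application.config.secret_token = token.empty? ? '686a07…' : token` (keeping the existing literal in place of the elided hex). Since the old literal is now public, rotating it in this same commit rather than reusing it as the fallback would also be cheap, as only old dev cookies are invalidated.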
@@ -156,6 +156,7 @@ DEPENDENCIES
 amazon_flex_pay
 coffee-rails (~> 3.2.1)
 jquery-rails
+ json (~> 1.7.7)
 pg
 pry-rails
 rails (= 3.2.13)
From 302cf7eb4d11aba9b76e99cc78dbb9e2d7e4a657 Mon Sep 17 00:00:00 2001
From: Barry Allard
Date: Tue, 19 Mar 2013 22:32:24 -0700
Subject: [PATCH 7/7] [security] multi_xml, rack mandatory updates

---
 Gemfile.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 95cad1f..1137e3a 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -10,7 +10,7 @@ GEM
 builder (~> 3.0.0)
 erubis (~> 2.7.0)
 journey (~> 1.0.4)
- rack (~> 1.4.0)
+ rack (~> 1.4.5)
 rack-cache (~> 1.2)
 rack-test (~> 0.6.1)
 sprockets (~> 2.2.1)
@@ -30,7 +30,7 @@ GEM
 multi_json (~> 1.0)
 amazon_flex_pay (0.9.13)
 activesupport (>= 3.0.14)
- multi_xml (~> 0.2.0)
+ multi_xml (>= 0.5.2)
 rest-client (~> 1.6.1)
 arel (3.0.2)
 bourne (1.1.2)
@@ -66,8 +66,8 @@ GEM
 mime-types (1.19)
 mocha (0.10.5)
 metaclass (~> 0.0.1)
- multi_json (1.5.0)
- multi_xml (0.2.2)
+ multi_json (1.7.1)
+ multi_xml (0.5.3)
 pg (0.14.1)
 polyglot (0.3.3)
 pry (0.9.10)
@@ -76,10 +76,10 @@ GEM
 slop (~> 3.3.1)
 pry-rails (0.2.2)
 pry (>= 0.9.10)
- rack (1.4.3)
+ rack (1.4.5)
 rack-cache (1.2)
 rack (>= 0.4)
- rack-ssl (1.3.2)
+ rack-ssl (1.3.3)
 rack
 rack-test (0.6.2)
 rack (>= 1.0)